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<N ■ Abstract 

Recently, a chaotic cryptographic scheme based on composition maps was proposed. This 
paper studies the security of the scheme and reports the following findings: 1) the scheme can be 
broken by a differential attack with 6 + \\og L (MN)~\ chosen-plaintext, where MN is the size of 
plaintext and L is the number of different elements in plain-text; 2) the scheme is not sensitive to 
the changes of plaintext; 3) the two composition maps do not work well as a secure and efficient 
■ random number source. 

u; 

q ; 1 Introduction 

The development of information technology makes the transmission of digital data is carried out 
more and more frequently over all kinds of channels. Meanwhile, the security of digital data become 
more and more important. So, the demand of secure and fast encryption schemes become urgent. 
Due to the subtle similarities between cryptography and chaos, a great number of chaotic encryption 
£f) • schemes have been proposed in the past decade [l|; However, most of them have been 

found to be insecure in different extents from the view point of modern cryptography 0; H; @; [lO ; 11 
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refer to [181 ] 



303; Et| . As for how to evaluate the security of a chaotic cryptographic scheme, please 



In general, the usage of chaos in designing encryption scheme can be classified as three categories: 
1) generating pseudo-random number sequence, which is then used to determine position permuta- 
tion; 2) generating pseudo-random bit sequence, which is then used to determine combination and/or 
composition of some basic encryption operations; 3) generating ciphertext directly when the data of 
plaintext is assigned as the initial condition or control parameter of a chaotic map. In HIE El|], the 



possible application of composition of polynomial chaotic maps in designing encryption scheme was 
discussed. In this case, two composite polynomial chaotic maps are used to determine the position 
permutation and composition of basic encryption operations respectively. Since the schemes proposed 



m 



19 ; |2(J ] are preliminary version of the one proposed in [21[, this paper only focuses on the security 
of the latter. With our study, the following security problems are found: 1) the scheme can be broken 
with a differential attack; 2) the scheme is not sensitive with respect to the changes of plaintext; 3) 
the randomness of the pseudo-random number sequences generated by the two composition maps is 
weak. 

The rest of this paper is organized as follows. Section [5] describes the chaotic cryptographic 
scheme briefly. A comprehensive cryptanalysis on the scheme is presented in Sec. [3j The last section 
concludes this paper. 
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2 The Encryption Scheme Under Study 



In [2jJ], the structure of plaintext is not specified precisely. Without loss of generality, the plaintext 
here is denoted by a 2-D byte array of size M x N (height x width), I = j)}i<i<M and the 

1<j<JV 

corresponding ciphertext by I' = i<i<M . The plaintext is considered as a ID signal {I(k)}¥Jf 

l<j<N 

by scanning it in a raster order. Then, the chaotic cryptographic scheme can be described as follows 
0. 

• Secret key: three sets of initial condition and control parameter of Eq. (p}, (xo, ot\, 02), (x' , a^, o 2 ), 
(xjj, a*, a^)) one set of initial condition and control parameter of Eq. ([2]), (yg, 0:3, 04), and a 
secret number S £ {0, • • • , 255}. 



/(x) = -L tan 2 (5 arctan ( tan < 3 ) . (1) 



1 if- ( (. /I 



d{y) = — 2 cot y8 arctan ^3 tan ^4 arctan y—j^jjjj . (2) 
Initialization: 

— Iterate the map Eq. ([I]) MN times to obtain three states sequences, {ipi{k)}^fj( , {^(fc)}*^, 
{^(^Olfcl^i , under the three sets of initial condition and control parameter, (xo, 01,0:2), 
(x , 0^,02), (x^of,o^), respectively; 

— Iterate the map Eq. MN times to obtain a states sequence {V'3(^)}fcl 7 i under initial 
condition and control parameter (2/0,03,04); 

— Generate four pseudo-random number sequences, {(j>i(k)}ifj( , {<fe(&)}fc=i j {03(&)}fc=i > 
{^(ife)}^, as follows: ^(jfe) = [faQc) • 10 14 J mod M, <fe(jfe) = [ip 2 (k) ■ 10 14 J mod N, 
03 (fc) = L^ 3 (jfc) • 10 14 J mod 256, and 4 (jfc) = L^(^) ■ 10 14 J mod 256. 

Encryption: 

— Permutation: for k = 1 ~ MJV, swap the positions of two bytes /(fe) and I{<p\{k) ■ N + 
4>2{k)). Denote the permuted plaintext with I* = {I*(i,j)}i<i<M . 

l<j<N 

— Confusion I: for k = 1 ~ MiV, 

= 4> 3 (k) © + MQ) © " 1), (3) 

where I*(0) = S, and x + y = (x + y) mod 256. 

— Confusion II: for A; = 1 ~ MN, 

I'{k) =r (fe) 04 (k). (4) 

Decryption: The decryption approach is similar to the encryption one except that the main 
three encryption steps and the swap operations in the permutation step are carried out in a 
reverse order, and Eq. (|3|) is replaced by the following function. 



I*(k) = ((7*(fc) © I*{k - 1) © 3 (fc)) - 03(fc) + 256) mod 256. (5) 

lr To make the presentation more concise and complete, some notations in the original paper are modified, and some 
details about the scheme are supplied and/or corrected also. 
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3 Cryptanalysis 



3.1 Differential Attack 

Differential attack is an attack to recover the information about secret key and/or plaintext by 
analyzing the evolution of differences when some pairs of plaintexts are encrypted with the same 



secret key. In [2ll . Sec. 5.4], the authors claimed the encryption scheme under study can withstand 
differential attack effectively. However, we find that the scheme can be broken by this attack easily 
with the following steps. 



• Breaking Confusion I: 

If two plaintexts, Ii = {ii(&)}££^ and I 2 = {hik)}^^, are encrypted by the same secret key, 
one has the following equality. 

l[{k) ® l' 2 {k) = I{{k) @ Mk) @ I^k) ® Mk) 

= i{(k)®r 2 (k) 

= fo{k)®{I{{k) + fo{k))@Ii{k-l)® (6) 

= (im + Mk)) © (m) + uk)) © (mk - 1) © m - 1» 

= {Il{k) + Uk))®(P 2 (k) + h(k))®(l' 1 (k-l)®l' 2 (k-l)) (7) 

Furthermore, if the plaintexts, Ii and I2, are chosen of fixed value, one has 

(Ji(fc) ® I' 2 {k)) ® (I[(k - 1) ® I' 2 (k - 1)) = (Ji(fc) + Mk)) © (h(k) + h(k)) (8) 

Since the left part of the above equation, I\{k) and I 2 (k) are known, Eq. ([8]) can be simplified 
as the following equation. 

y = (a + x)®(b + x), (9) 

where a,b,x £ {0, 1, ■ • • 255}. 

It has been verified by computer that a set {x, x ® 128} can be determined uniquely with three 
different sets of (a, b), e.g. (9, 127), (1, 52), (33, 65). From Fact[[J one can see that 4>z{k) and 
4>3(k) ® 128 are equivalent with respect to the encryption. 



Fact 1 V a, b G Z, (a © 128) + b = (a + b) ® 128. 



• Breaking Confusion II: 

After {<fe(£0}fc=L nas been broken, only the step Confusion II is left for a plaintext of fixed 
value, Ii, I*(k) can be determined. Then, one has 

Mk) = i[(k)®r l {k), (10) 

for k = 1 ~ MN. 

• Breaking Permutation: 

After the steps Confusion I and Confusion II have been broken, only the step permutation 
is left. As shown in [23], any permutation-only cryptographic scheme can be broken with 
only O (log L (MN)) known/chosen plain-texts, where L is the number of different element in 
plain-text. 
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a) b) c) 




d) e) f) 

Figure 1: Six chosen plain-images for breaking Confusion I. 




Figure 2: The cipher-images of the above six chosen plain-images shown in Fig. [TJ 



To validate performance of the proposed attack, some experiments on some plain-images of size 
512 x 512 have been performed. Besides S = 33, the same secret key used in [2l|, Sec. 3] was adopted: 
(x ,a 1 ,a 2 ) = (25.687,2.10155,3.569221), {x' Q , a' x , a' 2 ) = (574.461,1.8874,4.23562), (xl,a\,a* 2 ) = 
(814.217217,2.8912,3.89954), (y 0} a 3 ,a 4 ) = (79.82,61.522,257.26223). The step Confusion I can be 
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a) 




Figure 3: Three chosen plain-images for breaking position permutation and the corresponding cipher- 
images. 




a) b) 
Figure 4: The recover of another plain-image encrypted with the same secret key. 

broken with the six chosen plain-images of fixed values, 9, 127, 1, 52, 33 and 65, as shown in Fig. Q] 
and the corresponding cipher-images shown in Fig. [2j Then, the plain-image shown in Fig. [T^,) and 
the corresponding cipher-images can break the step Confusion II. Finally, the step Permutation can 
be broken with [~log 256 (512 • 512)] = 3 special plain-images shown in Fig. [3l The obtained equivalent 
secret key was used to decrypt another cipher- image, as shown in Fig. 0^), and the result is shown 
in Fig. Hb). 

3.2 Some Other Security Defects 

• Problems about Secret Key; 
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As specified in [18|, Rule 5], the key space of a secure encryption scheme should be precisely 
specified and avoid non-chaotic regions. However, even with the measure used in |2l|], a great 
number of secret key should be excluded from the key space of the encryption scheme under 
study (see Fig. [5]). 




012345678 
alpha! 



Figure 5: The parameters of f{x) corresponding to positive Lyapunov exponent. 



• Insufficient Randomness of Pseudo- Random Number Sequences {(j)i(k)}, {4>2(k)}, {4>3(k)}, and 
{Mk)} 

To study the dynamic property of the two equations f{x) and g(x), we drew the graph of the 
two equations under a greater of number of random parameters. Due to the similarity, only the 
graphs of f(x) and g{x) with (01,02) = (2.10155,3.56922), (03,04) = (61.522,257.26223) are 
shown in Fig. Comparing the graphs of the two functions and y = x, one can assure that the 
states generated by iterating the two functions will approach zero soon after some iterations. 





a) f(x) 



b) g(x) 



Figure 6: The graph of f(x) and g(x). 



To further test the randomness of the sequences generated by the two equations, we adopted 
the test suite proposed in [23J]. Since the three sequences {4>i(k)}, {foik)}, and {4>4,(k)} are 



determined by the same equation, only the randomness of {<p3(k)} and {<p4(k)} was tested. 
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For every sequence, 100 samples of length 512 • 512/8 = 32768 (the number of bytes used for 
encryption of a gray-scale plain-image of size 512 x 512) were generated by random secret keys. 
For each test, the default significance level 0.01 was adopted. The results are shown in Table [IJ 
from which one can see that the two equations both cannot be used as a good random number 
generator. 

Table 1: The performed tests with respect to a significance level 0.01 and the number of sequences 
passing each test in 100 randomly generated sequences. 



Name of Test 


Number of Passed Sequences 


m 


g(x) 


Frequency 


6 


2 


Block Frequency (m = 100) 


10 


6 


Cumulative Sums-Forward 


6 


3 


Runs 


8 


3 


Rank 


68 


99 


Non-overlapping Template (m = 9, B = 110001000) 


76 


64 


Serial (m = 16) 


6 


9 


Approximate Entropy (m = 10) 


8 


6 


FFT 


65 


49 



• Insensitivity with Respect to Changes of Plaintext 

In (2ll . Sec. 5. 4], the importance of sensitivity with respect to changes of plaintext is recognized. 
However, the encryption scheme under study is actually very far away from the desired property. 
In cryptography, the most ideal situation about sensitivity is that the change of any single bit 
of plaintext will make every bit of the corresponding ciphertext change with a probability of 
one half. Obviously, the encryption scheme under study can not reach the desired state due to 
the following points. 

— No nonlinear S-box is involved in the whole scheme; 

— Any bit of plaintest only may influence the bits at the above levels in the ciphertext; 

— Any pixel of plaintext does not influence other pixels in the corresponding ciphertext 
uniformly. 

To demonstrate this defect efficiently, we performed an experiment by changing a bit of the 
plain-image of size 512 x 512 shown in Fig. [3b). It is found that only the bits of one level are 
changed. The locations of the changed bits are shown in Fig. where the white dots denote 
changed locations and black ones denote unchanged ones. 




a) ~ 4th b) 5th c) 6th c) 7th 

Figure 7: The locations of changed bits of the cipher-image, when the 5-th bit of the pixel at location 
(256, 256) in the plain-image was changed. 
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4 Conclusion 



In this paper, the security of a chaotic cryptographic scheme based on composition maps has been 
studied in detail. It is found that the scheme can be broken with 6 + \log L (MN)~\ chosen-plaintext. 
In addition, the scheme is not sensitive to the changes of plaintext also. Furthermore, the randomness 
of the pseudo-random number sequences generated by the composition maps is very weak. Due to 
the insecurity of the scheme under study, it is should not be used in real serious application. 
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